Ville Valkonen

Quite often I hear the claim “on-premise is more secure than cloud”.
Having worked in both the on-premise and cloud worlds for several years, I am in an informed position to dissect such claims into smaller subsets and do some comparisons.
Regarding cloud environments, I’ll stick with Amazon Web Services (AWS) which I am the most familiar with.

Physical security

Let’s start with physical security.
A properly configured server room must have the following topics covered:

Deny unauthorised access

Ways to prevent and detect tampering

Although not directly related to intrusion or unauthorised use, a fire alarm and fire suppression system must be present

All rack cases must be locked so that, for example, thumb drives cannot be inserted

Backups must reside in a remote location and must comply with the same security policy as the on-premise source

In cloud environments, the above-mentioned best practices are the responsibility of the service provider – if not, please change your provider – quickly!

With such best practices in place, a cloud customer doesn’t need to be concerned with the hardware aspects when designing a cloud-based system.

Another often heard claim is “Data is so sensitive that it cannot reside in the cloud”.
Right, so why is that computer connected to the Internet?
Everything is crackable and the firewall in front of the computer is just a teaser in the game. If the data is that sensitive, then it must be in an encrypted format. You’ve got this covered, right? I hope so!
For these kinds of best practices, AWS offers great tools:

Encrypted S3 storage (object storage)

A Systems Manager Parameter Store to encrypt all values going into a database

Key Management Service to automate key handling, including key rotation and audit trail

(to name just a few examples)

If a virtual machine is being run, one should be aware that Spectre and similar hardware vulnerabilities will pose a danger to some extent; at least in the cloud where resources are shared.
An evil-minded attacker’s virtual machine instance will need to be located on the same host machine on which the victim’s instance is running.
These kinds of vulnerabilities are patched very swiftly as soon as a fix is available, especially since they pose a danger to the core business. Therefore these attacks are short-lived – unless a new zero-day exploit is found. And even then, the zero-day exploit must be applicable and:

Moderately quick to exploit to have benefit

Success rate must be fairly high and it must give enough permissions to control the needed resources

An improvement would be to use cloud-native components to handle load balancing, container orchestration, message brokering and so on.
Why? Because those are constantly audited by the cloud provider, therefore resulting in a smaller attack surface compared to handling the whole operating system and its software components (and their updates).
Copying an insecure application into the cloud doesn’t make it magically safer.
Regarding security standards, AWS complies with the following letter and number bingos:

SOC 1/ISAE 3402, SOC 2, SOC 3

FISMA, DIACAP, and FedRAMP

PCI DSS Level 1

ISO 9001, ISO 13485, ISO 27001, ISO 27017, ISO 27018

These standards fulfil the requirements for Nasdaq, the US Department of Defense, and Philips Healthcare, just to mention a few high profile customers. These organisations take security seriously and have a huge budget for their security teams.

In AWS, the Aurora database is a Maria/PostgreSQL-compatible relational database service (RDS) that offers automatic scaling and updates.
That diminishes the burden of updates drastically. Major version updates can be done this way too, though it’s against best practices to upgrade without testing. You have been warned!

The biggest cloud providers, namely Amazon, Google and Microsoft, have some of the most talented people in the field working on their products to keep their customers’ data secure. Compare this to on-premise scenarios where, in the worst cases, it’s a one-man show. If (s)he is not really interested in security, then it’s a security nightmare waiting to be unleashed.

Nothing protects against faulty configuration choices in the cloud either, though some things are harder to make globally reachable by default.
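The AWS tools listed earlier (encrypted S3, Parameter Store, KMS key rotation) and the point about faulty configuration can be checked together. The following is an added example, not code from the original post: it audits dictionaries shaped like the responses boto3 returns from S3, KMS and Systems Manager. The sample data, bucket names, key id and parameter names are constructed placeholders, and no AWS call is made.

```python
# Added example: offline audit of AWS-style API responses (constructed data).
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_bucket(name, encryption, public_access_block):
    """Arguments are the dicts returned by boto3's get_bucket_encryption and
    get_public_access_block, or None when the bucket has no such setting."""
    findings = []
    rules = (encryption or {}).get(
        "ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm", "")
             for r in rules]
    if not any(algos):
        findings.append(f"s3:{name}: no default encryption")
    elif not all(a.startswith("aws:kms") for a in algos):
        findings.append(f"s3:{name}: encrypted without a KMS key")
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    missing = [f for f in PAB_FLAGS if pab.get(f) is not True]
    if missing:
        findings.append(f"s3:{name}: public access not blocked ({', '.join(missing)})")
    return findings

def audit_key(key_id, rotation_status):  # kms get_key_rotation_status dict
    ok = rotation_status.get("KeyRotationEnabled") is True
    return [] if ok else [f"kms:{key_id}: automatic rotation disabled"]

def audit_parameters(described):  # ssm describe_parameters dict
    return [f"ssm:{p['Name']}: stored as {p.get('Type')}, not SecureString"
            for p in described.get("Parameters", [])
            if p.get("Type") != "SecureString"]

def _enc(algo):  # builds a constructed get_bucket_encryption response
    return {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": algo}}]}}

def _pab(**overrides):  # constructed get_public_access_block response
    return {"PublicAccessBlockConfiguration": {**dict.fromkeys(PAB_FLAGS, True), **overrides}}

def audit_sample():
    """Run every check over constructed responses (placeholder names and ids)."""
    return (audit_bucket("reports", _enc("aws:kms"), _pab())
            + audit_bucket("legacy-uploads", _enc("AES256"), _pab(BlockPublicPolicy=False))
            + audit_key("example-key-1", {"KeyRotationEnabled": False})
            + audit_parameters({"Parameters": [
                {"Name": "/app/db/password", "Type": "String"},
                {"Name": "/app/db/host", "Type": "SecureString"}]}))

if __name__ == "__main__":
    print("\n".join(audit_sample()))
```

Against a real account, the same functions take the unmodified boto3 responses; a plain String parameter is only a finding when the value is actually a secret.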

In conclusion, cloud is not a new kid on the block anymore.
Learn your environment and implement with best practices.
A correctly configured cloud is secure and might save the administrator/DevOps/whatever from sleepless nights.